Discrete logarithms in curves over finite fields 

Andreas Enge 



Logarithm, n. m. (Arithmet.) a number of an arithmetic progression
which corresponds to another number in a geometric progression.

- Encyclopedia of Diderot and d'Alembert 



The discrete logarithm problem in finite groups is one of the supposedly difficult
problems at the foundation of asymmetric or public key cryptography. The first
cryptosystems based on discrete logarithms were implemented in the multiplicative
groups of finite fields, in which the discrete logarithm problem turned out to be
easier than one would wish, just like the factorisation problem at the heart of RSA.
The focus has since shifted towards elliptic and more complex algebraic curves over
finite fields. Elliptic curves have essentially resisted all cryptanalytic efforts and
to date yield the cryptosystems relying on a number theoretic complexity assumption
with the shortest key lengths for a given security level, while other classes of
curves have turned out to be substantially weaker. This survey presents the history
and state of the art of algorithms for computing discrete logarithms in non-elliptic
curves over finite fields; the case of elliptic curves is touched upon, but a thorough
treatment would require an article of its own, see [101, Chapter V] and [42]. For
a previous survey on hyperelliptic curves in cryptography including the discrete
logarithm problem, see [37].

Let us fix the notation used in the following. Given a cyclic group $(G, +)$ of
order $N$, generated by some element $P$, the discrete logarithm of $Q \in G$ to the
base $P$ is given by the integer $x = \log Q = \log_P Q$, uniquely determined modulo
$N$, such that $Q = xP$. The discrete logarithm problem (DLP) in $G$ is to compute
$x$ given $Q$. A cryptosystem is said to be based on the discrete logarithm problem
in $G$ if computing discrete logarithms in $G$ breaks the cryptosystem (in some
specified sense). Note that it is usually unknown whether breaking the system is
indeed equivalent to the discrete logarithm problem (but see the treatment of the
computational Diffie-Hellman problem in Section 1.2).

Figure 1 illustrates the complexity of the discrete logarithm problem depending
on $N$, as it presents itself in a number of groups suggested for cryptographic use.
In the following sections, we will examine more closely algorithms in each of the
complexity classes, going from the slower to the faster ones, that at the same time
apply to a more and more restricted class of groups.

FIGURE 1. Complexity of the DLP in different groups



1. Exponential algorithms 

1.1. Generic algorithms. A number of algorithms allow one to compute
discrete logarithms generically, using only group operations in $G$ and independently of
the concrete representation of its elements, under the sole assumption that each
group element is represented canonically by a unique bit string.

Note first that the decisional version of the DLP is easy: Given $Q$ and a candidate
$x$ for its discrete logarithm, it suffices to compute $xP$ and to compare it to
$Q$ in order to check whether $x$ is the correct logarithm. Hence the DLP may be
solved with $O(N)$ group operations by exhaustive search.

This complexity may be reduced to $O(\sqrt N)$. Shanks's baby-step giant-step
algorithm [64] first computes the baby steps $iP$ for $0 \le i < \lceil \sqrt N \rceil$ and stores
them in a hash table; then the giant steps $Q - j \lceil \sqrt N \rceil P$ for $0 \le j < \lceil \sqrt N \rceil$ are
computed and looked up in the hash table containing the baby steps. As soon as
a collision $iP = Q - j \lceil \sqrt N \rceil P$ occurs, the discrete logarithm $x = i + j \lceil \sqrt N \rceil$ is
readily deduced. This deterministic algorithm performs $O(\sqrt N)$ group operations
and requires storage space for $O(\sqrt N)$ elements.

A probabilistic approach due to Pollard [59] allows one to dispense with the storage
requirements. The basic idea is to compute random linear combinations $R_i =
a_i P + b_i Q$. When a collision $R_i = R_j$ occurs, the discrete logarithm is given
by $x = \frac{a_i - a_j}{b_j - b_i} \bmod N$ if $b_j - b_i$ is invertible modulo $N$; otherwise, at least the
partial information $x \bmod N / \gcd(N, b_j - b_i)$ is obtained. As such, the algorithm has an
expected running time of $O(\sqrt N)$, but still needs to store $O(\sqrt N)$ group elements.
By replacing the random choice of $a_i$ and $b_i$ by a pseudo-random walk such that
$R_{i+1}$ depends only on $R_i$, and by looking for collisions exclusively of the form
$R_i = R_{2i}$, one recovers Pollard's $\rho$ algorithm, that heuristically takes a time of
$O(\sqrt N)$ with constant storage. For a more advanced analysis, see [68].

Alternatively, one may use an approach admitting a simple parallelisation due
to van Oorschot and Wiener [57]. First of all, distinguished points are defined
as group elements with an easily recognisable property that occurs with a well-
controlled probability, such as a certain number of zeroes in their binary represen-
tation. Several pseudo-random walks are started in parallel from different points.
As soon as a distinguished point is reached, it is reported to a central machine that
stores it and performs the collision search on only the stored elements.
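The rho walk and the distinguished-point variant described above, as an added example that is not part of the original article: both run in a constructed toy group, the subgroup of prime order $N = 509$ of $\mathbb Z_{1019}^*$ written multiplicatively (the paper's $aP + bQ$ is `pow(P, a, MOD) * pow(Q, b, MOD)` here), and the collision solver also handles the case where $b_j - b_i$ is not invertible modulo $N$ by checking the remaining candidates with the easy decisional problem. The modulus, generator and secret exponent are assumptions made for the example.

```python
import random
from math import gcd

# Constructed toy group: the subgroup of prime order N = 509 of Z_1019^* (1019 = 2*509 + 1),
# written multiplicatively, so the paper's aP + bQ is P^a * Q^b here.  P = 4 is a square and
# therefore has order 509; the secret exponent is an assumption used only to build Q.
MOD, N, P = 1019, 509, 4
SECRET = 123
Q = pow(P, SECRET, MOD)

def step(R, a, b):
    """One step of the pseudo-random walk: the successor of R and the new exponents with
    R = P^a Q^b.  The next point depends only on R, never on (a, b), which is what makes
    two walks that ever meet stay together and makes R_i = R_{2i} detectable."""
    h = R % 3
    if h == 0:
        return R * R % MOD, 2 * a % N, 2 * b % N       # squaring ('doubling')
    if h == 1:
        return R * P % MOD, (a + 1) % N, b             # multiply by P
    return R * Q % MOD, a, (b + 1) % N                 # multiply by Q

def from_collision(a1, b1, a2, b2):
    """Solve P^a1 Q^b1 = P^a2 Q^b2, i.e. (b1 - b2) x = a2 - a1 (mod N).  When b1 - b2 is not
    invertible only x mod N/g with g = gcd(b1 - b2, N) is determined, so the g candidates are
    checked with the easy decisional problem.  Returns None for a useless collision."""
    d, rhs = (b1 - b2) % N, (a2 - a1) % N
    g = gcd(d, N)
    if g == N or rhs % g:                     # identical exponents: no information
        return None
    x0 = (rhs // g) * pow(d // g, -1, N // g) % (N // g)
    for k in range(g):
        x = x0 + k * (N // g)
        if pow(P, x, MOD) == Q:
            return x
    return None

def rho_floyd(seed, max_restarts=50):
    """Pollard's rho with Floyd cycle finding (R_i against R_{2i}): constant storage."""
    rng = random.Random(seed)
    for _ in range(max_restarts):
        a, b = rng.randrange(N), rng.randrange(N)
        R = pow(P, a, MOD) * pow(Q, b, MOD) % MOD
        slow, fast = (R, a, b), (R, a, b)
        while True:
            slow = step(*slow)
            fast = step(*step(*fast))
            if slow[0] == fast[0]:
                break
        x = from_collision(slow[1], slow[2], fast[1], fast[2])
        if x is not None:
            return x
    return None

def rho_distinguished(seed, walks=4, dp_mask=0b111, max_len=200):
    """van Oorschot-Wiener: several walks run in parallel (round-robin here) and report only
    distinguished points (low bits of R zero) to a shared table; two walks that have merged
    report the same distinguished point with different exponents, which is a collision."""
    rng = random.Random(seed)
    table = {}                                # distinguished R -> (a, b)
    def fresh():
        a, b = rng.randrange(N), rng.randrange(N)
        return [pow(P, a, MOD) * pow(Q, b, MOD) % MOD, a, b, 0]   # R, a, b, steps taken
    state = [fresh() for _ in range(walks)]
    while True:
        for w in state:
            w[0], w[1], w[2] = step(w[0], w[1], w[2])
            w[3] += 1
            if (w[0] & dp_mask) == 0:         # distinguished point: report and restart
                if w[0] in table:
                    x = from_collision(*table[w[0]], w[1], w[2])
                    if x is not None:
                        return x
                else:
                    table[w[0]] = (w[1], w[2])
                w[:] = fresh()
            elif w[3] > max_len:              # trapped in a cycle without a distinguished point
                w[:] = fresh()
```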

The existence of a canonical representative for each element is crucial for the
algorithms of complexity $O(\sqrt N)$; it allows one to store the elements in a hash table and
to perform a search in essentially constant time. If the collision search required a
test for equality with each of the stored elements, the complexity would rise again
to $O(N)$.

A classical trick described in [58] consists in reducing the DLP to a series
of discrete logarithm computations in the subgroups of order $p$ of $G$ for primes
$p$ dividing $N$. First of all, if $e$ is the largest exponent such that $p^e \mid N$, one has
$x \bmod p^e = \log_{(N/p^e) P} \big( (N/p^e) Q \big)$; the Chinese remainder theorem allows one to compose
these discrete logarithms in the Sylow subgroups of $G$ to obtain $x$. So without
loss of generality, we may henceforth assume that $N = p^e$ is a prime power. Similarly,
$x_0 = x \bmod p$ is obtained as $\log_{p^{e-1} P} (p^{e-1} Q)$; then, $x_1 = \frac{x - x_0}{p} \bmod p$ as
$\log_{p^{e-1} P} \big( p^{e-2} (Q - x_0 P) \big)$ and so on, so that the decomposition in base $p$ of $x$
is computed via a series of discrete logarithms in the subgroup of order $p$ of $G$.
Combined with the algorithms of square root complexity presented above, discrete
logarithms may be computed with

$$O \Big( \sum_{p^e \,\|\, N} e \sqrt p \Big)$$

group operations, where the sum is taken over all prime powers $p^e$ such that $p^e \mid N$
and $p^{e+1} \nmid N$. So the maximal level of security reachable in a cryptosystem based
on the discrete logarithm problem depends essentially on the largest prime factor
of the group order. For prime $N$, this corresponds to the straight line in Figure 1.
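Shanks's baby-step giant-step algorithm and the Pohlig-Hellman reduction of this section, written out as an added example (not the article's own code) in the constructed toy group $\mathbb Z_{1009}^*$, whose order $1008 = 2^4 \cdot 3^2 \cdot 7$ is smooth; the digit-by-digit extraction of $x \bmod p^e$ follows the formulas above. The modulus, the base 11 and the secret exponent are assumptions made for the example.

```python
from math import isqrt

# Constructed toy group: Z_1009^* (1009 prime), written multiplicatively, so the paper's xP is
# pow(P, x, MOD).  Its order 1008 = 2^4 * 3^2 * 7 is smooth, which is exactly what the
# Pohlig-Hellman reduction exploits.  Base, modulus and secret exponent are assumptions.
MOD = 1009

def factorize(n):
    """Trial-division factorisation into [(prime, exponent)]; n is small here."""
    out, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n, e = n // d, e + 1
        if e:
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out

def element_order(g, group_order):
    """Exact order N of g, starting from a multiple of it (the full group order)."""
    n = group_order
    for q, _ in factorize(group_order):
        while n % q == 0 and pow(g, n // q, MOD) == 1:
            n //= q
    return n

def bsgs(P, Q, n):
    """Shanks: log_P Q in the cyclic group <P> of order n with O(sqrt n) time and storage.
    The canonical integer representation is what lets the dict lookup run in O(1)."""
    m = isqrt(n) + 1
    baby, g = {}, 1
    for i in range(m):                        # baby steps P^i
        baby.setdefault(g, i)
        g = g * P % MOD
    giant = pow(P, (n - m % n) % n, MOD)      # P^(-m), using P^n = 1
    gamma = Q
    for j in range(m):                        # giant steps Q * P^(-j m)
        if gamma in baby:
            return (baby[gamma] + j * m) % n
        gamma = gamma * giant % MOD
    raise ValueError("Q is not in the subgroup generated by P")

def crt(residues):
    """Chinese remainder theorem for pairwise coprime moduli [(r, m), ...]."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod

def pohlig_hellman(P, Q, N):
    """Reduce log_P Q in a group of order N to logarithms in the subgroups of prime order:
    x mod q^e is found digit by digit in base q (the x_0, x_1, ... of the text), then the
    Chinese remainder theorem recombines the residues modulo the Sylow subgroup orders."""
    residues = []
    for q, e in factorize(N):
        qe = q ** e
        Pe, Qe = pow(P, N // qe, MOD), pow(Q, N // qe, MOD)   # (N/q^e) P and (N/q^e) Q
        Pq = pow(Pe, qe // q, MOD)            # q^(e-1) Pe: a generator of order exactly q
        x = 0                                 # x mod q^k after k digits
        for k in range(e):
            # q^(e-1-k) (Qe - x Pe) lies in <Pq>; its logarithm is the k-th base-q digit
            Qk = pow(Qe * pow(Pe, (qe - x) % qe, MOD) % MOD, qe // q ** (k + 1), MOD)
            x += bsgs(Pq, Qk, q) * q ** k
        residues.append((x, qe))
    return crt(residues)
```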

1.2. Lower bounds. It would be interesting to know if a minimal difficulty
of the DLP may be guaranteed. Nechaev and Shoup provide a partial answer in
[56, 65]: If the only operations permitted are additions in the group and $N$ is
prime, then $\Omega(\sqrt N)$ operations are needed to compute discrete logarithms with a
non-negligible probability. To bypass this lower bound, an algorithm needs to take
into account the particular representation of the group elements that distinguishes
$G$ from the abstract cyclic group of order $N$.

Let us make a digression and briefly discuss the computational Diffie-Hellman
problem (CDH), that is known to be equivalent to the security of a certain number
of cryptosystems. It consists in computing $abP$ given the group elements $P$, $aP$
and $bP$. In the same article [65], Shoup shows that a generic algorithm for CDH
requires $\Omega(\sqrt N)$ operations in a group of prime cardinality $N$. Even the decisional
Diffie-Hellman problem DDH (given $P$, $aP$, $bP$ and a candidate $Q$, decide whether
$Q = abP$) has the same minimal complexity in this setting.
Maurer and Wolf have shown the equivalence between CDH and DLP independently
of their difficulty in [52]. Trivially, being able to solve DLP leads to solving
CDH. For the converse direction, the authors consider the case that $N$ is a prime
such that there is an auxiliary group $H$, algebraic over $\mathbb F_N$, into which $\mathbb F_N$ may be
embedded in a probabilistic sense (the image of an element need not exist, but in
this case a slightly perturbed element must have an image). For instance, $H$ may
be an elliptic curve defined over $\mathbb F_N$, and the image of $x \in \mathbb F_N$ is given by a point on
$H$ with abscissa $x$, if it exists; otherwise, one may continue with $x + e$ for a small
integer $e$. If in this situation the DLP in $H$ can be solved by an algebraic algorithm
carrying out $n$ group operations, the DLP in $G$ can be solved by an algorithm making
essentially $n$ calls to an oracle for CDH in $G$. If the order of $H$ is sufficiently
smooth (that is, it does not have prime factors exceeding a polynomial in $\log N$),
the algorithms of Section 1.1 applied to $H$ lead to a polynomial time equivalence
between CDH and DLP in $G$. Notice that only the order of $G$ plays a role in this
argument, but not the concrete representation of its elements. Using the fact that
all integers in the Hasse interval around $N$ appear as cardinalities of elliptic curves
over $\mathbb F_N$ and assuming heuristically that they have the same factorisation pattern
as random integers of the same size, Maurer and Wolf show the existence of an
auxiliary group $H$ such that the reduction becomes polynomial. Finding the group
via complex multiplication, however, may take exponential time. If a subexponential
reduction in $L(1/2)$ is considered sufficient instead of a polynomial reduction,
it should be possible to find the group in the same subexponential time.

The generic, exponential algorithms are for the time being the only ones that
may be applied to arbitrary elliptic curves. Some particular elliptic curves admit an
embedding into another group in which discrete logarithms are considerably easier
to compute, but these curves have a very low density: They are supersingular and
other curves with a low embedding degree into the multiplicative group of a finite
field [53, 32]; subgroups of order $p$ defined over a finite field $\mathbb F_q$ of characteristic
$p$, that may be embedded into the additive group $(\mathbb F_q, +)$ [61, 62, 66]; and elliptic
curves that may be embedded by Weil descent into the Jacobian of a hyperelliptic
curve of low genus following an idea suggested by Frey in [31], see [34, 18] and [42]
and the references therein. Weil descent provides another motivation for examining
more closely curves of genus larger than 1.

2. Subexponential algorithms of complexity $L(1/2)$

2.1. The subexponential function. Under the designation subexponential
function, one might subsume all functions that grow more slowly than exponentially,
but faster than polynomially. In the context of discrete logarithm or factorisation
algorithms, the following more restrictive definition appears naturally:

Definition 1. The subexponential function with parameters $\alpha \in (0, 1)$ and
$c > 0$ with respect to the argument $N$ is given by

$$L_N(\alpha, c) = e^{c (\log N)^\alpha (\log \log N)^{1 - \alpha}}.$$

To simplify the notation, we let

$$L_N(\alpha) = \{ L_N(\alpha, c) : c > 0 \}$$

and omit the subscript $N$ when it is understood from the context.
In the following, we will focus on the parameter $\alpha$, that has the biggest influence
on the growth of the function. The parameter $c$ is often called the constant of the
subexponential function, although it appears in fact in the exponent, so that its
influence is far from negligible.

The traditional notation $L_N$ may lead to confusion, as in terms of complexity,
one has to assume that a problem with $N$ possible inputs is specified by $\log N$ bits,
and subexponentiality has to be understood with respect to $\log N$ rather than $N$:

• The extreme case $\alpha = 0$, excluded by the definition, leads to the polynomial
$\log^c N$;

• the other extreme case $\alpha = 1$ leads to the exponential $N^c$;

• as intermediate values, essentially $\alpha = 1/2$ and $\alpha = 1/3$ occur in the
contexts of discrete logarithms and of factorisation. Two typical functions
are traced in Figure 1.

The following computation rules are easily checked:

$$L_N(\alpha, c_1) \cdot L_N(\alpha, c_2) = L_N(\alpha, c_1 + c_2)$$

(1) $\log^k N \in L(\alpha, o(1))$ for any $k$, and more generally,

$$L_N(\beta, d) \in L_N(\alpha, o(1)) \quad \text{for } \beta < \alpha.$$

In particular, if a polynomial time operation is repeated $L_N(\alpha, c)$ times, the resulting
complexity is in $L_N(\alpha, c + o(1))$; this is why Definition 1 is often modified to
allow an $o(1)$ term in the constant.
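The two rules in (1) follow directly from Definition 1; the short verification below is added here and is not part of the original article.

$$L_N(\alpha, c_1) \cdot L_N(\alpha, c_2) = e^{(c_1 + c_2) (\log N)^\alpha (\log \log N)^{1 - \alpha}} = L_N(\alpha, c_1 + c_2),$$

and for $\beta < \alpha$,

$$\log L_N(\beta, d) = d (\log N)^\beta (\log \log N)^{1 - \beta} = d \left( \frac{\log \log N}{\log N} \right)^{\alpha - \beta} (\log N)^\alpha (\log \log N)^{1 - \alpha},$$

where the factor in front of $(\log N)^\alpha (\log \log N)^{1 - \alpha}$ tends to $0$ as $N \to \infty$, so $L_N(\beta, d) \in L_N(\alpha, o(1))$. The case $\beta = 0$, $d = k$ gives $\log^k N \in L(\alpha, o(1))$, and combining this with the product rule yields the bound $L_N(\alpha, c + o(1))$ for a polynomial time operation repeated $L_N(\alpha, c)$ times.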

2.2. An algorithm for finite fields. Subexponential algorithms for discrete
logarithms usually proceed in two stages: In the first stage, called sieving or relation
collection, an integral matrix is filled with relations; the linear algebra stage
solves the resulting system modulo the group order and yields the discrete logarithms
of certain elements; a third, comparatively inexpensive stage may be needed
to compute individual logarithms. It has become common to call this kind of algorithm
"index calculus", a rather unfortunate terminology, since "index" is traditionally
used as a synonym for "logarithm". Already the encyclopedia by Diderot and
d'Alembert, published between 1751 and 1772, gives the following definition: "Index,
in Arithmetic, is the same thing as the characteristic or the exponent of a logarithm.
See Logarithm." [17].

The basic idea of creating relations and of combining them linearly for computing
discrete logarithms (and for factoring) was published by Kraïtchik in the
twenties [46, Chapter 5, §§14-16]. In 1979, the algorithm was rediscovered by
Adleman and presented with the analysis of its subexponential complexity for the
case of finite prime fields. It is easily generalised to $\mathbb F_{2^m}$ (for the reasons explained
in Section 2.5). In the following, we describe a slightly modified version.

To recall the problem, let $P$ be a primitive element of $\mathbb F_{2^m}$ and $Q \in \mathbb F_{2^m}^*$; we
wish to compute $x$ such that $Q = P^x$. The finite field is conveniently represented as
$\mathbb F_2[X]/(f)$ with $f$ an irreducible polynomial of degree $m$, such that an element of $\mathbb F_{2^m}$
may be considered as a binary polynomial of degree less than $m$. This representation
of the field elements by polynomials introduces notions that in principle have no
meaning in a field: It is now possible to speak of irreducible elements, the degree
of the polynomials leads to a notion of size of the elements, and there is a unique
factorisation of elements into irreducibles. In fact, the factorisation is no longer
unique as soon as the restriction on the degrees is lifted, as several elements of
$\mathbb F_2[X]$ may represent the same element of the finite field.

Algorithm 2

Input: $P$ a primitive element of $\mathbb F_{2^m} = \mathbb F_2[X]/(f)$, $Q \in \mathbb F_{2^m}^*$
Output: $x$ such that $Q = P^x$

(0) Let $N = 2^m - 1$. Fix a smoothness bound $B \in \mathbb N$ and compute the factor
base $\mathcal F = \{p_0, \dots, p_n\}$ containing the irreducible polynomials over $\mathbb F_2$ of
degree at most $B$ and $P = p_0$. Prepare an empty matrix $A$ with $n$ columns
and $r$ rows and an empty vector $b$ with $r$ rows for some $r$ slightly larger
than $n$.

(1) repeat for $i = 1, \dots, r$
        repeat
            draw random exponents $\alpha_{ij} \in \{0, \dots, N - 1\}$ for $j = 0, \dots, n$
            compute $\prod_{j=0}^n p_j^{\alpha_{ij}} \bmod f$
            if the result factors over $\mathcal F$ as $\prod_{j=0}^n p_j^{\beta_{ij}}$
                there is a relation $\prod_{j=1}^n p_j^{a_{ij}} = P^{-a_{i0}}$ in $\mathbb F_{2^m}$ with $a_{ij} = \alpha_{ij} - \beta_{ij}$
                add $(a_{ij})_{j=1}^n$ to the matrix $A$ and $-a_{i0}$ to the vector $b$
        until success in creating a new relation

(2) Solve the linear system $Ay = b$ modulo $N$, so that $y_j = \log_P p_j$.

(3) Create an additional relation $Q \prod p_j^{\alpha_j} = \prod p_j^{\beta_j}$ as above; return
$x = \sum_{j=0}^n (\beta_j - \alpha_j) \log_P p_j$.

This version of the algorithm separates the linear algebra of stage 2 and the
computation of individual logarithms of stage 3, that may be repeated as many
times as desired. Alternatively, it would be enough to add the target $Q$ to the
factor base and to stop after stage 2.

The complexity of the algorithm depends essentially on the probability that a
polynomial of degree at most $m - 1$ decomposes completely over the factor base,
otherwise said, that it is $B$-smooth. If the factor base size $n$ is polynomial, this
probability decreases exponentially; for it to decrease polynomially, one would need
$n$ to be exponential. The optimal value is somewhere in between; precisely, for $B$
chosen such that $n \in L(1/2)$, the probability of obtaining a relation is in $1/L(1/2)$
(see [9] and Section 2.5). Hence, the expected number of iterations for obtaining one
relation is in $L(1/2)$, and the process has to be repeated $r \in O(n) \subseteq L(1/2)$ times
to fill the matrix. As all the basic operations of the algorithm are polynomial or in
$L(1/2)$ (for instance, the linear algebra stage is polynomial in $n$), the computation
rules (1) show that the total complexity of the algorithm is in $L(1/2)$. Smoothness
is discussed in more generality and a more detailed complexity analysis is developed
in Section 2.5.

Notice that the subexponential complexity of Algorithm 2 does not contradict
the exponential lower bounds of Section 1.2. We clearly make use of the particular
representation of the elements of $\mathbb F_{2^m}^* \simeq \mathbb Z/N\mathbb Z$ by polynomials, and the algorithm
is far from generic.
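Algorithm 2 carried out in full, as an added example that is not the article's own code: the constructed instance is $\mathbb F_{2^7} = \mathbb F_2[X]/(X^7 + X + 1)$ with smoothness bound $B = 3$, binary polynomials stored as Python integers, and the linear algebra of stage 2 done by Gaussian elimination over $\mathbb Z/N\mathbb Z$, which is a field here because $N = 127$ is prime; the field size, the polynomial $f$ and the random seed are assumptions.

```python
import random

# Constructed instance of Algorithm 2: F_{2^7} = F_2[X]/(X^7 + X + 1); binary polynomials are
# Python ints (bit i = coefficient of X^i).  N = 2^7 - 1 = 127 is prime, so the linear system
# is solved over the field Z/NZ, and P = X (the factor-base element p_0) is primitive.
M, F, P = 7, 0b10000011, 0b10      # m, the polynomial f = X^7 + X + 1, and P = X
N = 2 ** M - 1

def pdeg(a):
    return a.bit_length() - 1

def pmul(a, b):                      # carry-less product in F_2[X]
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):                   # long division in F_2[X]: (quotient, remainder)
    q = 0
    while a and pdeg(a) >= pdeg(b):
        s = pdeg(a) - pdeg(b)
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def fmul(a, b):                      # multiplication in F_{2^m}: reduce the product modulo f
    return pdivmod(pmul(a, b), F)[1]

def fpow(a, e):
    r = 1
    while e:
        if e & 1:
            r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r

def irreducibles(B):
    """Factor base: all irreducible polynomials of degree <= B, found by trial division."""
    out = []
    for c in range(2, 1 << (B + 1)):
        if all(pdivmod(c, p)[1] for p in out if 2 * pdeg(p) <= pdeg(c)):
            out.append(c)
    return out

def factor_over(a, base):
    """Exponent vector of a over the factor base, or None if a is not B-smooth."""
    exps = []
    for p in base:
        e = 0
        while pdivmod(a, p)[1] == 0:
            a, e = pdivmod(a, p)[0], e + 1
        exps.append(e)
    return exps if a == 1 else None

def smooth_relation(start, base, rng):
    """Multiply start by random factor-base powers until the product is smooth; returns
    (alpha, beta) with start * prod p_j^alpha_j = prod p_j^beta_j in the field."""
    while True:
        alpha = [rng.randrange(N) for _ in base]
        prod = start
        for p, e in zip(base, alpha):
            prod = fmul(prod, fpow(p, e))
        beta = factor_over(prod, base)
        if beta is not None:
            return alpha, beta

def solve_mod_prime(rows, rhs, n):
    """Gauss-Jordan elimination over Z/NZ (N prime); None if the rows do not have rank n."""
    aug = [row + [r] for row, r in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, len(aug)) if aug[i][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], N - 2, N)
        aug[col] = [v * inv % N for v in aug[col]]
        for i in range(len(aug)):
            if i != col and aug[i][col]:
                c = aug[i][col]
                aug[i] = [(x - c * y) % N for x, y in zip(aug[i], aug[col])]
    return [aug[i][n] for i in range(n)]

def index_calculus(Q, B=3, seed=1):
    """Stages (1)-(3) of Algorithm 2: returns x with P^x = Q."""
    rng = random.Random(seed)
    base = irreducibles(B)           # base[0] == P, so log_P base[0] = 1 is already known
    n = len(base) - 1
    rows, rhs = [], []
    while True:                      # stage 1: collect relations until the system is solvable
        alpha, beta = smooth_relation(1, base, rng)
        a = [(al - be) % N for al, be in zip(alpha, beta)]   # prod p_j^a_j = 1
        rows.append(a[1:])
        rhs.append(-a[0] % N)
        if len(rows) >= n + 5:       # stage 2: linear algebra modulo N
            y = solve_mod_prime(rows, rhs, n)
            if y is not None:
                break
    alpha, beta = smooth_relation(Q, base, rng)   # stage 3: Q * prod p^alpha = prod p^beta
    logs = [1] + y
    return sum((be - al) * l for al, be, l in zip(alpha, beta, logs)) % N
```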

2.3. Arithmetic of Jacobians. In the light of Section 2.2 it is clear that we
need to take a closer look at the representation of elements and at the group law
associated to an algebraic curve. To arrive at the analogue of Algorithm 2, our aim
is to show that these elements behave essentially like polynomials.

Curves over algebraically closed fields. For the time being, let us consider a
curve $\mathcal C$ defined by a non-singular irreducible polynomial $C(X, Y)$ over an algebraically
closed field $K$. The points on $\mathcal C$ are the $(x, y) \in K^2$ such that $C(x, y) = 0$.
Non-singularity means that for no point $(x, y)$ on the curve, the partial derivatives
$\frac{\partial C}{\partial X}(x, y)$ and $\frac{\partial C}{\partial Y}(x, y)$ vanish simultaneously. There is an integer $g$, called the genus
of the curve, that is closely related to the degree of $C$ if the equation is "reasonable",
and that measures, roughly speaking, how "complicated" the curve is. For instance,
a hyperelliptic curve in characteristic different from 2 is given by a non-singular
polynomial $C = Y^2 - X^{2g+1} - f(X)$ with $f$ of degree at most $2g$; the case $g = 1$ is
that of an elliptic curve. A more general case is that of superelliptic curves, defined
by a non-singular polynomial $Y^a - X^b - f(X)$ with $f$ of degree less than $b$ and
$\gcd(a, b) = 1$ when the characteristic of $K$ is coprime with $a$. By admitting certain
mixed terms, one obtains the most general curves that have been suggested for use
in cryptography, namely $C_{a,b}$ curves, given by a non-singular irreducible polynomial
of the form

$$Y^a - X^b - \sum_{(i,j) :\, ai + bj < ab} c_{ij} X^i Y^j$$

with $\gcd(a, b) = 1$ when the characteristic of $K$ divides neither $a$, nor $b$. The genus
of these curves is given by $g = \frac{(a - 1)(b - 1)}{2}$.

To a curve, one can associate its coordinate ring $K[\mathcal C] = K[X, Y]/(C)$, the ring
of polynomial functions from the curve to the field $K$. In the case of a $C_{a,b}$ curve,
$K[\mathcal C]$ can be seen as the set of polynomials of arbitrary degree in $X$ and of degree at
most $a - 1$ in $Y$, since each occurrence of $Y^a$ may be replaced by $X^b + \sum c_{ij} X^i Y^j$.
The field of fractions of $K[\mathcal C]$ is denoted by $K(\mathcal C)$ and is called the function field
of $\mathcal C$; it consists of the rational functions from the curve to $K$.

Except for elliptic curves, the associated group does not consist of only the
points on the curve. Instead, one has to consider the Jacobian $J(\mathcal C)$ of the curve,
an abelian variety. In practice, it is preferable to work with the isomorphic group
(denoted by $\mathrm{Pic}^0(\mathcal C)$ or again by $J(\mathcal C)$) of divisor classes of degree 0. Define the
group of divisors of $\mathcal C$ by

$$\mathrm{Div}(\mathcal C) = \Big\{ \sum_P m_P P : m_P \in \mathbb Z, \text{ almost all } m_P = 0 \Big\},$$

the set of finite formal sums of points with potentially negative coefficients. This
definition is in fact slightly wrong; instead of only considering points on the affine
curve, one needs to also take into account "points at infinity" on the projective
closure of $\mathcal C$. Moreover, the projective closure will usually be singular at infinity;
instead of a singular point, one needs to consider several points corresponding to
its resolution on a non-singular model. Equivalently, one may define divisors as
formal sums of places of the function field $K(\mathcal C)$ instead of points. Function fields
of hyperelliptic or, more generally, $C_{a,b}$ curves are particular in that they have only
one place at infinity; so it suffices to augment the set of points by one additional
special point called $\infty$.

The degree of a divisor is given by

$$\deg \sum_P m_P P = \sum_P m_P.$$

The degree 1 divisors containing only one point with multiplicity 1 are called prime;
indeed, they constitute indivisible atoms, and any divisor may be written uniquely
as a sum of prime divisors.

Associate to a rational function $f \in K(\mathcal C)$ its principal divisor, containing its
zeroes with positive and its poles with negative multiplicities. At $\infty$ on a $C_{a,b}$ curve,
the function $X$ has a pole of order $b$, the function $Y$ a pole of order $a$; the order at
$\infty$ of any other function may be deduced by the triangular inequality. It turns out
that the degree of a principal divisor is 0, otherwise said, a rational function has
as many zeroes as poles, counting multiplicities. Let $\mathrm{Div}^0(\mathcal C)$ denote the group of
degree 0 divisors and $\mathrm{Prin}(\mathcal C)$ its subgroup of principal divisors; then the Jacobian
is given by

$$J(\mathcal C) = \mathrm{Div}^0(\mathcal C) / \mathrm{Prin}(\mathcal C).$$

Given $\infty$ (or any other point on the curve, for that matter), there is a natural
isomorphism

$$\mathrm{Div}^0(\mathcal C) \to \mathrm{Div}'(\mathcal C), \quad \sum_P m_P P \mapsto \sum_{P \neq \infty} m_P P,$$

where $\mathrm{Div}'(\mathcal C)$ denotes the subgroup of $\mathrm{Div}(\mathcal C)$ of divisors not containing $\infty$ in
their support. The inverse isomorphism is obtained by adding the right multiple
of $\infty$ to obtain a degree 0 divisor. By the Riemann-Roch theorem, each class
of $J(\mathcal C)$ can then be represented by a unique effective or positive divisor (that
is, without negative coefficients) in $\mathrm{Div}'(\mathcal C)$ of minimal degree, which is called its
reduced (along $\infty$) representative. Its degree is moreover bounded by the genus $g$.

The coordinate ring $K[\mathcal C]$ is in fact the set of functions without poles at infinity
(or otherwise said, the integral closure of $K[X]$ in $K(\mathcal C)$). But since for $C_{a,b}$ curves,
$\infty$ is the only point at infinity, this implies that the affine points on the curve are
in bijection with the prime ideals of $K[\mathcal C]$, that $\mathrm{Div}'(\mathcal C)$ is isomorphic to the group
of fractional ideals of $K[\mathcal C]$ and that $J(\mathcal C)$ is isomorphic to the ideal class group of
$K[\mathcal C]$. This observation allows one to switch to the standard representation of ideals in
extensions of Dedekind domains: Any divisor $D \in \mathrm{Div}'(\mathcal C)$ may be represented by
an ideal of $K[\mathcal C]$ in the form

(2) $D = (d)(u, w)$

with $d, u \in K[X]$ monic and $w \in K[\mathcal C]$ (cf. [H, § 163, p. 461] or [52, Th. 17] for a
proof in the number field case). The polynomial $w$ may be taken to be monic and,
for a $C_{a,b}$ curve, of degree less than $a$ in $Y$. Since $(d)$ is principal, any element of the
Jacobian is represented as $(u, w)$. Even without recourse to the theory of Dedekind
rings, the existence of such a representative may be shown by choosing $u \in K[X]$
having as zeroes (with the right multiplicities) the $X$-coordinates of the points in
the divisor $D$, and by letting the bivariate polynomial $w$ interpolate (again with the
correct multiplicities, which requires some care) the $Y$-coordinates. Notice that a
prime divisor $P = (x, y)$ is characterised by a representative, namely $(X - x, Y - y)$,
in which the first polynomial is irreducible.

Relying on the representation (2) of divisors, the algorithm realising the group
law in a Jacobian works with polynomials and proceeds in two steps: The composition
step corresponds to the addition of the divisors respectively the multiplication
of the ideals, while taking out principal ideals $(d)$ of $K[X]$ that may appear; essentially,
this is Lagrangian interpolation. The reduction step computes for the
resulting divisor, that is generically of degree $2g$, its unique reduced representative
of degree at most $g$; this part of the algorithm depends heavily on the curve. Efficient
algorithms for arbitrary curves have been developed by Heß and Khuri-Makdisi
[40, 44]. For hyperelliptic curves, see, for instance, [12, 23, 48, 38]; for superelliptic
curves, see [33, 18]; for $C_{a,b}$ and in particular $C_{3,4}$ curves, see [H, 5, 30, 1].

Curves over finite fields. In order to obtain finite groups, it is clearly necessary
that the curves under consideration be defined over a finite field $K = \mathbb F_q$. Contrary
to what one might expect, it is not sufficient to emulate the construction made
for algebraically closed fields: When adding two elements containing only points
defined over $\mathbb F_q$, the reduction may result in a divisor containing points defined over
an extension field. To save the situation, one needs to resort to Galois invariance
and consider the Frobenius automorphism of $\overline{\mathbb F}_q$, $x \mapsto x^q$, that yields naturally the
endomorphism $\varphi : (x, y) \mapsto (x^q, y^q)$ on the points of the curve defined over $\overline{\mathbb F}_q$. It
is trivially extended to divisors and rational functions. The groups $\mathrm{Div}$, $\mathrm{Div}^0$ and
$\mathrm{Prin}$ may thus be defined as above as sets of divisors defined over $\overline{\mathbb F}_q$, but with
the additional restriction that they be invariant under $\varphi$. To obtain $\mathrm{Div}'$ in an
analogous manner, one furthermore needs $\infty$ to be defined over $\mathbb F_q$, which is the
case for all curves under consideration. So once again, we end up with the ideal class
group of $K[\mathcal C]$. The elements of the Jacobian are represented as above by ideals
$(u, w)$, now with $u$ and $w$ having coefficients in $\mathbb F_q$. The algorithms of composition
and reduction remain unchanged; their algebraic nature implies that they have no
"conscience" of the field over which they work.

By Weil's theorem [70], the order of the Jacobian of a curve $\mathcal C$ of genus $g$ defined
over $\mathbb F_q$ satisfies

(3) $(\sqrt q - 1)^{2g} \le |J(\mathcal C)| \le (\sqrt q + 1)^{2g}$.

Composition and decomposition. The previous discussion shows that the arithmetic
of the Jacobian groups of the curves under consideration boils down to that
of bivariate polynomials. But as far as discrete logarithms are concerned, the group
elements even behave essentially like univariate polynomials.

As a consequence of Weil's theorem, the majority of elements of the Jacobian is
represented by $(u, w)$ with $\deg u = g$, $w = Y - v(X)$ and $\deg v = g - 1$. When two
distinct elements $D_1 = (u_1, Y - v_1)$ and $D_2 = (u_2, Y - v_2)$ are to be added, with
overwhelming probability one has $\gcd(u_1, u_2) = 1$, or otherwise said, the points in
$D_1$ have distinct $X$-coordinates from those in $D_2$. Then the result of the composition
is $D_1 + D_2 = (u, Y - v)$ with $u = u_1 u_2$ and $v$ the Lagrangian interpolation
polynomial such that $v_i = v \bmod u_i$, which is in fact independent of the curve. The
composition step for doubling a divisor $(u_1, Y - v_1)$ usually results in $(u, Y - v)$
with $u = u_1^2$ and $v$ a Hensel lift (that depends on the curve). As long as $\deg u$
does not exceed $g$, in general no reduction occurs. Otherwise, the reduction step
is also specific to the curve. So adding divisors corresponds to multiplying the $u$-polynomials
in $\mathbb F_q[X]$ and updating the $v$-polynomials accordingly followed by a
reduction step. In this sense, the addition in the Jacobian behaves like multiplication
in $\mathbb F_{q^{g+1}}$, which also proceeds by multiplying polynomials of degree at most $g$,
followed by a reduction.

Over a finite field $\mathbb F_q$, a prime divisor is a divisor that cannot be written as
a sum of two non-trivial divisors defined over the same field. Concretely, a prime
divisor of degree $k$ is given by the orbit $D$ under the Galois endomorphism of a point
$P = (x, y)$ with coordinates $x$ and $y$ in $\mathbb F_{q^k}$, but not both in the same subfield. A
typical representative occurs when $x$ itself is not defined in a subfield of $\mathbb F_{q^k}$; then
$D = (u, Y - v)$ with $u$ the minimal polynomial of degree $k$ of $x$. (The other prime
divisors have the form $(u, w)$ with $\deg u$ a proper divisor of $k$ and $\deg_Y w = k / \deg u$
and occur in negligible numbers.) In any case, prime divisors are again characterised
by having an irreducible first polynomial.

As the decomposition of an element of $\mathbb F_{q^{g+1}}$ in Algorithm 2, the prime decomposition
of a divisor of the form $D = (u, Y - v)$ also boils down to factoring a
polynomial in $\mathbb F_q[X]$; if $u = \prod u_i^{e_i}$, then $D = \sum e_i D_i$ with $D_i = (u_i, Y - v \bmod u_i)$.
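The curve-independent composition of two divisors with coprime $u$-polynomials, and the decomposition of the result into prime divisors by factoring $u$, as an added example that is not code from the article: the hyperelliptic curve $Y^2 = X^7 + X + 1$ of genus 3 over $\mathbb F_7$, the two divisors (one of them a prime divisor of degree 2) and the brute-force polynomial factorisation over $\mathbb F_7$ are all constructed here.

```python
from itertools import product, zip_longest

# Constructed example: the hyperelliptic curve Y^2 = X^7 + X + 1 of genus g = 3 over F_7 (odd
# characteristic, so C = Y^2 - X^{2g+1} - f(X) as in the text).  Polynomials over F_7 are
# coefficient lists, lowest degree first; a divisor (u, Y - v) is stored as the pair (u, v)
# with u monic and v^2 = f mod u.  Composition stays in the regime deg u <= g, no reduction.
FQ, GENUS = 7, 3
FPOLY = [1, 1, 0, 0, 0, 0, 0, 1]            # f = X^7 + X + 1

def norm(a):                                 # reduce coefficients mod FQ, strip leading zeros
    a = [c % FQ for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    return norm([x + y for x, y in zip_longest(a, b, fillvalue=0)])

def psub(a, b):
    return norm([x - y for x, y in zip_longest(a, b, fillvalue=0)])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return norm(r)

def pdivmod(a, b):                           # long division in F_7[X]: (quotient, remainder)
    a, b = norm(a), norm(b)
    q = [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], FQ - 2, FQ)
    while a and len(a) >= len(b):
        s, c = len(a) - len(b), a[-1] * inv % FQ
        q[s] = c
        a = psub(a, [0] * s + [c * y for y in b])
    return norm(q), a

def xgcd(a, b):                              # extended Euclid: (g, s, t) with s*a + t*b = g
    r0, r1, s0, s1, t0, t1 = norm(a), norm(b), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, psub(s0, pmul(q, s1))
        t0, t1 = t1, psub(t0, pmul(q, t1))
    return r0, s0, t0

def is_divisor(u, v):
    """The defining congruence v^2 = f (mod u) of a divisor (u, Y - v)."""
    return pdivmod(psub(pmul(v, v), FPOLY), u)[1] == []

def compose_coprime(D1, D2):
    """Composition for gcd(u1, u2) = 1: u = u1*u2, and v is the Chinese-remainder
    interpolation with v = v1 mod u1 and v = v2 mod u2.  Nothing here depends on the curve."""
    (u1, v1), (u2, v2) = D1, D2
    g, s, t = xgcd(u1, u2)                   # s*u1 + t*u2 = g, g a nonzero constant
    if len(g) != 1:
        raise ValueError("u1 and u2 are not coprime")
    if len(u1) + len(u2) - 2 > GENUS:
        raise ValueError("deg u > g: a curve-specific reduction step would follow")
    u = pmul(u1, u2)
    v = padd(pmul(pmul(v1, t), u2), pmul(pmul(v2, s), u1))   # = g*v1 mod u1 and g*v2 mod u2
    v = pdivmod(pmul(v, [pow(g[0], FQ - 2, FQ)]), u)[1]
    return u, v

def factor_monic(u):
    """Factor a monic polynomial over F_7 into irreducibles by trial division (F_7 is small)."""
    factors, d = [], 1
    while len(u) - 1 >= 2 * d:               # whatever is left of degree < 2d is irreducible
        for coeffs in product(range(FQ), repeat=d):
            m = list(coeffs) + [1]           # every monic polynomial of degree d
            while pdivmod(u, m)[1] == []:
                factors.append(m)
                u = pdivmod(u, m)[0]
        d += 1
    if len(u) > 1:
        factors.append(u)
    return factors

def decompose(D):
    """Prime decomposition D = sum e_i D_i with D_i = (u_i, Y - v mod u_i): factor u."""
    u, v = D
    parts = {}
    for ui in factor_monic(u):
        key = (tuple(ui), tuple(pdivmod(v, ui)[1]))
        parts[key] = parts.get(key, 0) + 1
    return parts
```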

2.4. Algorithms for hyperelliptic curves. The first subexponential algorithm
for computing discrete logarithms in hyperelliptic curves of large genus defined
over a finite field $K = \mathbb F_q$ is due to Adleman, DeMarrais and Huang [3]. It
differs from Algorithm 2 essentially by the way in which the relations are created.
Let the factor base $\mathcal F$ be given by all prime divisors of degree bounded by some
smoothness bound $B$. Since principal divisors are zero in the Jacobian, it is sufficient
to draw random polynomials of the form $Y - v(X)$ and to compute their
divisors (higher degrees in $Y$ do not occur in hyperelliptic curves, since the polynomials
may be reduced modulo the curve equation of degree 2 in $Y$). A smooth
divisor, that is a divisor decomposing over $\mathcal F$, directly yields a relation. This is the
case if the norm of $Y - v$ with respect to the function field extension $K(\mathcal C) / K(X)$,
a polynomial in $X$, is $B$-smooth. Assuming heuristically that norms behave like
random polynomials of the same degree, the authors prove a complexity of $L_{q^g}(1/2)$
whenever $(2g + 1)^{0.98} \ge \log q$. The result is heuristic for a second reason. Implicitly,
Algorithm 2 describes an isomorphism between the group and $\mathbb Z^n$ modulo the
lattice formed by the rows of the relation matrix. It is unclear whether the bounds
one needs to impose on the degree of $v$ for a subexponential running time allow one to
obtain a sufficiently dense lattice to yield the isomorphism.

The first algorithm for discrete logarithms in hyperelliptic curves with a proven
subexponential running time is given in [25]. Essentially, it is Algorithm 2 that
applies directly to curves via the discussion at the end of Section 2.3. It relies
on the fact, proved in [28], that the proportion of smooth divisors is the same as
the proportion of smooth univariate polynomials. (A similar result for the discrete
logarithm problem in the infrastructure of a real quadratic function field can already
be found in [54]; it also relies on the smoothness theorem of [28].) The constant of
the subexponential complexity depends on the growth of the genus $g$ with respect
to the finite field size $q$; precisely, a running time of

is proved in [25] under the assumption that $g \ge \vartheta \log q$.

2.5. A general framework. The similarities between finite fields, Jacobians
of curves and other groups in which subexponential algorithms in $L(1/2)$ exist to
solve the discrete logarithm problem, have motivated us to develop a framework
that allows an abstract presentation and unified analysis independently of the group
[26]. It is explained in the following to give a more detailed complexity analysis for
Jacobians of curves, as it is not more involved than a treatment of only the curve
case.
Let $\mathcal P$ be a set of elements called prime, and let $M$ be the free monoid over
$\mathcal P$. Suppose there is an equivalence relation $\sim$ in $M$, compatible with addition,
such that $G = M/\!\sim$ is a group. Suppose furthermore that there is a size function
$\deg : \mathcal P \to \mathbb N_{\ge 1}$ (extended homomorphically to $M$), which allows one to define the factor
base $\mathcal F$ as the set of prime elements of size bounded by a smoothness bound $B$. If
the elements of $G$ have canonical representatives in $M$ (usually, the smallest ones),
the unique decomposability of elements of $M$ into primes is inherited by $G$. If
some technical conditions on $G$ concerning, for instance, the computability of the
group law, the bit size of elements or the generation of $G$ by $\mathcal F$, are satisfied, then
Algorithm 2 may be applied without modification to $G$.

These notions have been introduced by Knopfmacher in [45]; he calls M an 
arithmetical semigroup and G an arithmetical formation. Concrete examples are 
provided by prime fields F_p, for which M = Z, deg is the logarithm and ~ is 
equivalence modulo p; and finite fields F_{p^m} = F_p[X]/(f), for which M = F_p[X], 
deg is indeed the degree and ~ is equivalence modulo f. But also class groups of 
number fields, for which M is the set of integral ideals, deg is the logarithm of the 
norm and ~ is equivalence modulo principal ideals. And finally Jacobians of curves C 
over a finite field F_q with a unique point at infinity, for which M = Div^+(C), the 
monoid of effective divisors, deg is the degree of a divisor and ~ is equivalence 
modulo principal divisors. 

It remains to prove the running time of the algorithm. For it to be in L(1/2), we 
need that a factor base of size L(1/2) implies a smoothness probability of 1/L(1/2). 
Corresponding results can be found, for instance, in [60] for F_p, in [9] for F_{p^m}, in 
[63] for class groups of imaginary quadratic number fields (under the generalised 
Riemann hypothesis) and in [28] for hyperelliptic curves of large genus. Having a 
closer look at these smoothness theorems, one realises that they are essentially all 
the same: For a factor base of size L_N(1/2, c), an element of size log N is smooth 
with probability 1/L_N(1/2, 1/(2c) + o(1)). This result may be proved in M 
under an assumption analogous to the prime number theorem: The number of 
primes of size bounded by k must be of the order of for some q, see [50, 49]. 
Then the proportion of elements of size at most x that are smooth with respect to 
a bound y is asymptotically (with some constraints on the respective growth of x 
and y) given by the value of the Dickman-de Bruijn function \rho in u = x/y; and 
de Bruijn has shown in [11, (1.8)] that 1/\rho(u) \in e^{(1+o(1)) u \log u}, which provides the 
link with the subexponential function. 

Due to the equivalence relation, the smoothness result for M cannot be directly 
transferred to G. In a curve, for instance, there are non-reduced divisors of degree g 
that as such do not occur as representatives of Jacobian elements. Nevertheless, 
the results of [63], [28] provide examples of arithmetical formations in which the 
same smoothness behaviour may be observed; it is thus reasonable to accept it 
heuristically also in other contexts. 
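As an added illustration of the framework and of the smoothness statement above (this code is not part of the survey), here is the arithmetical semigroup M = F_2[X] from the list of examples: the factor base of irreducible polynomials of degree at most B, the decomposition of an element over it (its exponent vector is one row of the relation matrix whenever the cofactor is 1), and the exact proportion of B-smooth polynomials of degree n placed next to the Dickman-de Bruijn value \rho(n/B). The parameters n = 12, B = 6 and the numerical integration scheme for \rho are choices made for this example only.

```python
# Added example, not code from the survey: the arithmetical semigroup M = F_2[X]
# of Section 2.5 with the factor base of irreducibles of degree <= B, decomposition
# of an element over it (one row of the relation matrix when it is smooth), and
# the exact B-smoothness proportion of degree-n polynomials next to the
# Dickman-de Bruijn value rho(n/B).  A polynomial is an int: bit i is the
# coefficient of X^i, so X+1 is 3 and X^2+X+1 is 7.

def gf2_degree(a):
    return a.bit_length() - 1

def gf2_divmod(a, b):
    """Long division in F_2[X]: returns (quotient, remainder)."""
    q, db = 0, gf2_degree(b)
    while a and gf2_degree(a) >= db:
        shift = gf2_degree(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def irreducibles_up_to(bound):
    """Factor base: all irreducibles of degree 1..bound, by trial division
    against the smaller irreducibles already found (ints grow with degree)."""
    base = []
    for f in range(2, 1 << (bound + 1)):
        half = gf2_degree(f) // 2
        if all(gf2_divmod(f, g)[1] != 0 for g in base if gf2_degree(g) <= half):
            base.append(f)
    return base

def decompose(a, base):
    """Exponent vector of a over the factor base plus the unfactored cofactor;
    a is smooth exactly when the cofactor is 1."""
    exps = {}
    for g in base:
        while True:
            q, r = gf2_divmod(a, g)
            if r:
                break
            exps[g] = exps.get(g, 0) + 1
            a = q
    return exps, a

def is_smooth(a, base):
    return decompose(a, base)[1] == 1

def smooth_proportion(n, bound):
    """(count, total) of bound-smooth polynomials among all 2^n of degree n."""
    base = irreducibles_up_to(bound)
    hits = sum(is_smooth((1 << n) | low, base) for low in range(1 << n))
    return hits, 1 << n

def dickman_rho(u, steps=2000):
    """rho(u) = 1 on [0, 1] and rho'(u) = -rho(u - 1)/u, integrated with the
    trapezoidal rule on a grid of width 1/steps (a numerical choice made here)."""
    if u <= 1:
        return 1.0
    h = 1.0 / steps
    n = int(u * steps) + 1
    vals = [1.0] * (n + 1)
    for k in range(steps + 1, n + 1):
        f0 = vals[k - 1 - steps] / ((k - 1) * h)
        f1 = vals[k - steps] / (k * h)
        vals[k] = vals[k - 1] - h * (f0 + f1) / 2
    k = int(u * steps)
    frac = u * steps - k
    return vals[k] * (1 - frac) + vals[k + 1] * frac

if __name__ == "__main__":
    hits, total = smooth_proportion(12, 6)
    print("6-smooth among degree-12 polynomials over F_2:", hits, "/", total, "=", hits / total)
    print("Dickman-de Bruijn rho(12/6) =", dickman_rho(2.0))
    print("X^5+X^3+X^2+1 over degree <= 2:", decompose(45, irreducibles_up_to(2)))
```

For n = 12 and B = 6 the exact count is 1489 of 4096, about 0.364, whereas \rho(2) = 1 - \log 2 is about 0.307: the Dickman-de Bruijn value is the limit for n -> \infty with u = n/B fixed, which is why the complexity statements of this section carry o(1) terms and why an implementation should measure its own smoothness rate rather than trust the asymptotic one.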

Given the smoothness result, the complexity of Algorithm [2] may be easily 
verified. Let n = L_N(1/2, d) denote the size of the factor base, with N the group 
order and d a parameter to be determined later; in the curve case, N must be 
replaced by q^g, which makes sense in the light of Weil's theorem (3). If a group 
element may be decomposed over the factor base in time L_N(1/2, o(1)) (which is 
the case for all groups under consideration), the time to create r = O(n) relations 
in the first stage of the algorithm is in 

L_N(1/2, o(1)) \cdot L_N(1/2, 1/(2d) + o(1)) \cdot L_N(1/2, d) = L_N(1/2, d + 1/(2d) + o(1)) 

by (1). The linear algebra stage treats a sparse matrix of order L_N(1/2, d) with 
L_N(1/2, d + o(1)) entries, as each relation has on the order of log N coefficients. 
The Lanczos and Wiedemann algorithms of [47, 71] run in time L_N(1/2, 2d + o(1)) 
on these matrices. Hence, the total running time of the algorithm becomes 

L_N(1/2, \max(d + 1/(2d), 2d) + o(1)). 

This quantity is minimised by d = \sqrt{2}/2, resulting in a complexity of 

L_N(1/2, \sqrt{2} + o(1)). 
For hyperelliptic curves, this running time holds when the field size q remains fixed 
and the genus g tends to infinity. When q grows as well, the discrete nature of the 
degree function starts to play a role, but a moderate growth of q may be tolerated 
(see also Section 2.6); following the analysis of [25], a running time of 



is obtained in [26] for the case that g >= \vartheta \log q. 

An assumption that is implicit in Algorithm [2] need not be satisfied for curves: 
The group must be cyclic and of known order N. If this is not the case, one may 
replace the solution of a linear system by the computation of the Hermite and 
Smith normal forms of the matrix, which yields a complexity of L_N(1/2) with a 
worse constant, as, for instance, at the end of Section 2.4; see [24]. 

An algorithm of proven subexponential complexity in L_{q^g}(1/2 + \epsilon) is given by 
Couveignes in [16] for a large class of curves, not limited to hyperelliptic ones, under 
the mild assumption that the curve contains an F_q-rational point and that the order 
of its Jacobian is bounded by q^{g + o(\sqrt{g})}. The approach is quite different from the 
one presented here and relies on a double randomisation, of the combination of 
factor base elements as well as of the choice of a function in a certain Riemann-
Roch space. An algorithm without restriction on the input curve is given by Heß 
in [41], who thus proves a complexity of L_{q^g}(1/2) for all curves of large genus. 

2.6. The low genus case. At first sight, these algorithms do not seem to 
work in low genus. This is nicely illustrated by the case of elliptic curves, which 
are of genus 1, so that each reduced divisor contains exactly one point: Either 
the smoothness bound is set to B = 1, in which case any divisor is smooth and 
the matrix contains as many columns as there are elements in the group, that is, 
around q; so the algorithm must be slower than the generic ones of Section 1.1 
of complexity O(\sqrt{q}). Or the smoothness bound is set to B = 0, in which case 
no divisor is smooth. The problem stems again from the discreteness of B, which is 
smoothed out when the genus becomes larger. 

In fact, interesting results are already obtained for rather small genus, as 
first observed by Gaudry in [36]. Assume g to be fixed, while q tends to in-
finity. Choose a smoothness bound of B = 1, so that the factor base is com-
posed of divisors containing only one point. By the Weil bound, its size n satisfies 
|n - (q + 1)| <= 2g\sqrt{q} = O(\sqrt{q}). The smooth reduced divisors are essentially the 
multisets containing g points (cf. Section 2.3); asymptotically for q -> \infty, multi-
plicities do not play a role, so that the number of smooth reduced divisors is well 
approximated by \binom{n}{g} = q^g/g! + O(q^{g-1/2}). As by (3) the Jacobian group has a size 
of q^g + O(q^{g-1/2}), the smoothness probability for a random element is, asymptot-
ically for q -> \infty, given by 1/g!. So filling the matrix requires g! \cdot n = O(q) trials, 
and the linear algebra step on a sparse matrix with O(n) rows and columns and g 
entries per row takes O(n^2 g) = O(q^2) arithmetic operations. While this complexity 
is exponential in the group size q^g, the generic algorithms of complexity q^{g/2} are 
beaten as soon as g >= 5. Notice that the two stages of the algorithm are quite 
unbalanced; by reducing the factor base size, an idea attributed to Harley in [36], 
one may slow down the relation collection process while speeding up the linear al-
gebra. Letting n = O(q^r) with r = 1 - 1/(g + 1), the total complexity becomes 
O(q^{2 - 2/(g+1)}) arithmetic operations, which is better than the generic complexity 
already for g = 4. 

A further improvement is given by Thériault in [69]. Again, the factor base 
comprises only a fraction of the prime divisors of degree 1, chosen arbitrarily, say 
n = q^r with some parameter r to be optimised. The other prime divisors of degree 1, 
however, are not discarded any more, but form the set of large primes (which in this 
context, of course, are not larger than the others, but the terminology as well as 
the basic idea is inspired by the large prime variation in the factorisation context). 
A relation is retained if it either consists only of prime divisors in the factor base (the 
case of a full relation) or if it contains exactly one large prime besides elements of 
the factor base (the case of a partial relation). Before entering the linear algebra 
step, k partial relations with the same large prime are combined to form k - 1 full 
relations; large primes that occur only once are eliminated together with their 
relations. The net effect is similar to the choice of a smaller factor base: Relation 
collection is slowed down (but not as much), while the linear algebra is accelerated. 
Thériault shows that the optimal value for r is 1 - 2/(2g+1) for a final running 
time of O(q^{2 - 4/(2g+1)}) arithmetic operations; this is slightly better than the 
generic algorithms already for g = 3. 
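The bookkeeping of the single large prime variation just described, as an added example (this is not code from the survey or from [69]): a decomposed divisor over the degree-1 primes is classified as full, partial or discarded, and partial relations sharing a large prime are then merged, k of them yielding k - 1 full relations in which the large prime cancels. Factor-base primes are represented by indices, large primes by labels, and exponents are reduced modulo an assumed cyclic group order N; the sample decompositions are constructed for the example.

```python
# Added example, not code from the survey or from Thériault's paper: bookkeeping
# for the single large prime variation.  Factor-base primes are indices 0..n-1,
# large primes are labels, exponents are reduced modulo an assumed cyclic group
# order N.
from collections import defaultdict

def classify(decomp, factor_base):
    """Sort a decomposed divisor (dict prime -> exponent over the degree-1 primes)
    into a full relation, a partial relation with exactly one large prime, or
    None when it contains two or more large primes and is discarded."""
    large = [(p, e) for p, e in decomp.items() if p not in factor_base]
    if len(large) > 1:
        return None
    fb = {p: e for p, e in decomp.items() if p in factor_base}
    if not large:
        return ("full", fb, None, 0)
    (lp, e), = large
    return ("partial", fb, lp, e)

def combine_partials(partials, N):
    """partials: list of (exps, large_prime, e).  k partials sharing one large
    prime give k-1 full relations e0*rel_i - e_i*rel_0, in which the large prime
    cancels; a large prime seen only once yields nothing."""
    by_prime = defaultdict(list)
    for exps, lp, e in partials:
        by_prime[lp].append((exps, e))
    full = []
    for group in by_prime.values():
        if len(group) < 2:
            continue                      # singleton large prime: eliminated
        exps0, e0 = group[0]
        for exps_i, e_i in group[1:]:
            combined = defaultdict(int)
            for idx, c in exps_i.items():
                combined[idx] += e0 * c
            for idx, c in exps0.items():
                combined[idx] -= e_i * c
            full.append({idx: c % N for idx, c in combined.items() if c % N})
    return full

def full_relations(decomps, factor_base, N):
    """Run both steps over a batch of decomposed divisors."""
    full, partials = [], []
    for d in decomps:
        kind = classify(d, factor_base)
        if kind is None:
            continue
        label, fb, lp, e = kind
        if label == "full":
            full.append({p: c % N for p, c in fb.items() if c % N})
        else:
            partials.append((fb, lp, e))
    return full + combine_partials(partials, N)

# Constructed sample: factor base {0,1,2,3}, large primes "L1".."L3", N = 101.
FACTOR_BASE = {0, 1, 2, 3}
N = 101
SAMPLE = [
    {0: 1, 1: 1, "L1": 1},
    {2: 1, "L1": 1},
    {1: 2, 3: 1, "L1": 1},
    {0: 1, "L2": 1},            # singleton large prime: dropped
    {3: 1, "L3": 2},
    {0: 1, 2: 1, "L3": 1},
    {1: 1, 2: 1},               # full relation
    {0: 1, "L2": 1, "L3": 1},   # two large primes: discarded
]

if __name__ == "__main__":
    for rel in full_relations(SAMPLE, FACTOR_BASE, N):
        print(rel)
```

On the sample, eight decompositions become four full relations: one was full from the start, the three partials on "L1" merge into two, the two on "L3" into one, and the singleton on "L2" as well as the decomposition with two large primes are lost, which is the price paid for the smaller matrix.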

Finally, Gaudry, Thomé, Thériault and Diem in [35] and Nagao in [55] have 
suggested the use of two "large" primes, which complicates the process of recom-
bining partial relations, but allows one to reduce the factor base size even further. The 
optimal value r = 1 - 1/g yields a running time of O(q^{2 - 2/g}) arithmetic operations. 

The above algorithms are formulated for Jacobians of hyperelliptic curves, but 
carry over to arbitrary curves. One conclusion to draw might be that curves of 
genus 3 and above should be banned from cryptography, as they are less secure 
than lower genus curves for the same group order. As a more nuanced reaction, 
one may also decide to increase the group size slightly, especially for a genus close 
to the cross-over point. In genus 3, for instance, one would need to increase the bit 
length of the group order by 12.5 % for an equivalent level of security compared 
to elliptic or genus 2 curves. This need not be penalising since machine word sizes 
introduce an effect of discretisation into the implementation. 

3. Subexponential algorithms of complexity L(1/3) 

Following the progress for factorisation algorithms, a complexity of L(1/3) has 
also been established for discrete logarithm computations in finite fields. First of 
all, Coppersmith's algorithm [15] treats F_{2^m}; it may be seen as a special case of 
Adleman's function field sieve [2], which applies to fields F_{p^m} with p small. The 
case of F_p, respectively F_{p^m} for m small, is handled by Gordon's number field sieve 
[39]. Recently, it has been shown in [43] that the applicability domains of the two 
algorithms intersect, so that a complexity of L(1/3) is obtained for arbitrary finite 
fields. 

3.1. The function field sieve. The function field sieve is of particular in-
terest in our case since it is related to the algorithm for curves of Section 3.2. Its 
starting point is the observation that the smoothness results of Section 2.5 may be 
generalised by varying the size of the elements to be tested for smoothness and the 
smoothness bound. The following theorem is proved in [27] for algebraic curves 
whose genus grows sufficiently fast compared to a power of log q, but it holds in 
more generality. 

Theorem 3. Given an arithmetical formation of order N as in Section 2.5 in 
which smoothness is governed by the Dickman-de Bruijn function, let 0 < \beta < 
\alpha <= 1 and c, d > 0. The probability that an element of size at most log L_N(\alpha, c) 
is smooth with respect to the factor base containing the L_N(\beta, d) smallest primes is 
given by 

1 / L_N(\alpha - \beta, (\alpha - \beta) c/d + o(1)). 

The special case \alpha = c = 1 and \beta = 1/2 has been used in the previous section 
to prove complexities in L(1/2). To reach a complexity of L(1/3), this theorem 
leaves only one direction open: Since the factor base has to be written down, one may 
not exceed \beta = 1/3, whence the size of the elements to be decomposed has to be 
lowered to log L(2/3). 
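As an added worked instance (not part of the survey's text) of how Theorem 3 enters the L(1/3) setting, with the cost model of Section 2.5 taken over as an assumption: take \alpha = 2/3, \beta = 1/3, elements of size at most log L_N(2/3, c) and a factor base of the L_N(1/3, d) smallest primes. Then 

\Pr[\text{smooth}] = 1 / L_N(1/3, c/(3d) + o(1)), 

since (\alpha - \beta) c/d = c/(3d). If each smoothness test costs L_N(1/3, o(1)), collecting L_N(1/3, d) relations costs L_N(1/3, d + c/(3d) + o(1)), and with the sparse linear algebra in L_N(1/3, 2d + o(1)) the total is 

L_N(1/3, \max(d + c/(3d), 2d) + o(1)), 

balanced at d = \sqrt{c/3}, that is L_N(1/3, 2\sqrt{c/3} + o(1)). This presumes that enough elements of size log L_N(2/3, c) can actually be generated; that sieving-space condition is not supplied by the theorem, and it is what ties c to the curve parameters in Section 3.2. 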

The function field sieve succeeds in this goal by representing the finite field F_{2^m}, 
say, in two different ways: First of all, as before, by F_2[X]/(f) with f irreducible 
of degree m. Second, as the residue class field of a place in a function field over F_2, 
given by a C_{a,b} curve C : Y^a - F(X, Y) = 0 with b >= a. Suppose that the ideal (f) 
is totally split in F_2(C), and let \mathfrak{f} = (f(X), Y - t(X)) be an ideal of F_2[C] above 
(f). Then the two homomorphisms with domain F_2[X, Y], given on the one hand 
by the reduction \psi : F_2[X, Y] -> F_2[C] modulo the curve equation and on the other 
hand by the evaluation map \phi : F_2[X, Y] -> F_2[X], Y -> t(X), are compatible with 
the reductions modulo \mathfrak{f} and f: 

                               F_2[X, Y] 
                  \psi  /                      \  \phi : Y -> t(X) 
F_2[C] = F_2[X, Y]/(Y^a - F(X, Y))              F_2[X] 
                        \                      / 
                    F_2[C]/\mathfrak{f}  =  F_2[X]/(f) 

By drawing a random polynomial w \in F_2[X, Y], one thus obtains a relation in 
F_{2^m} whenever both images under \psi and \phi are smooth. Some technical complications 
stem from the fact that F_2[C] is in general not a principal ideal domain, so that instead of 
decomposing \psi(w), one is limited to decomposing the principal ideal it generates. 
Apart from this, decomposition on the function field side amounts to factoring the 
norm of \psi(w) and is thus reduced again to factoring univariate polynomials. 

The degree a of the curve yields an additional degree of freedom; by choosing 
the parameters carefully, the degrees of the norm of \psi(w) as well as of \phi(w) may 
be bounded by log L_{2^m}(2/3). At first sight, the situation is unfavourable since two 
smoothness conditions have to be satisfied simultaneously instead of only one. But 
by (1), this influences only the constant, while the lower degree of the polynomials 
to be factored acts on the more important first parameter of the subexponential 
function. The worse constant, however, implies that the algorithms in L(1/3) are 
not immediately faster than those in L(1/2), but only from a certain input size on. 
The complexity of L(1/3) is only heuristic since it relies on the assumption that the 
norm of a polynomial in F_2[C] has the same smoothness probability as a random 
univariate polynomial of the same degree. 

3.2. An algorithm for a special class of curves. It is now a natural ques-
tion to ask whether it is possible to reach a complexity of L(1/3) also for the discrete 
logarithm problem in Jacobians of curves over finite fields. Given the analogies be-
tween finite fields and Jacobians used in Section 2.5 to develop a unified theory for 
algorithms of complexity in L(1/2), one might nourish some hope to similarly gen-
eralise the algorithms in L(1/3) to curves. But the second way of representing F_{2^m} 
as a residue field in a function field (respectively, F_p as a residue field in a number 
field) does not seem to be paralleled in Jacobians. It is apparently impossible, for 
instance, to stack a second curve on top of the first one. 

The solution to this problem presented in [27] turns this apparent obstacle into 
an advantage: Indeed, it is suggested to work directly with the curves that appear 
in the function field sieve. The algorithm is not limited to C_{a,b} curves. Let a_0 and b_0 
be arbitrary positive constants. Consider a family of absolutely irreducible curves 
of genus g over a finite field F_q of the form 

C : Y^a + F(X, Y) = 0 

with F(X, Y) \in F_q[X, Y] of degree b in X and at most a - 1 in Y, where a and b 
are bounded by 

(4)    a <= a_0 g^{1/3} M^{-1/3}   and   b <= b_0 g^{2/3} M^{1/3} 

with M = \log(g \log q) / \log q = \log_q(g \log q). To apply the smoothness result of Theorem 3, 
one furthermore has to impose that g >= (\log q)^\delta for some \delta > 2. 

For instance, one may choose a_0 > 0 arbitrarily, fix b_0 = 2/a_0 and consider C_{a,b} 
curves satisfying (4); this ensures that we are not speaking about the empty set. 

Relations are created in the same way as in Adleman-DeMarrais-Huang's al-
gorithm of Section 2.4. As principal divisors are zero in the Jacobian, it suffices to 
draw random polynomials w = r(X) + s(X)Y and to verify whether their divisors 
are smooth; again, this amounts to factoring the norm of w in F_q[X]. 

Choosing as factor base the L_{q^g}(1/3, d) smallest prime divisors and the degrees 
of r and s as c g^{1/3} M^{2/3}, the following two properties hold: 

• First of all, the smoothness probability of the norm is (heuristically) given 
by 1/L(1/3, e/d + o(1)) with e = (a_0 c + b_0)/3. 

• Second, the sieving space, that is, the set from which the tuple (r, s) is 
drawn, is sufficiently large. In fact, it would be possible to increase the 
smoothness probability by selecting r and s of even smaller (in the extreme 
case, constant) degrees; but then the number of choices for w would be so 
restricted that one would not even obtain a single relation on average. As 
in other subexponential algorithms, one has to ensure that the number of 
random choices at one's disposal is at least as large as the number of 
smoothness tests carried out. This is the main obstacle to decreasing the 
complexity below L(1/3). 



By computing the Smith normal form of the relation matrix, one obtains the order 
and the structure of the Jacobian as a product of cyclic groups. With the optimal 
choice of the free parameters c and d, the complexity becomes 



where c is the positive solution of the quadratic equation c 2 — |aoc — |&o = 0. 

It remains to be seen how to compute discrete logarithms. One needs (as in the 
third stage of Algorithm [2]) an additional relation containing the divisor Q whose 
logarithm is sought. Unfortunately, the size of Q cannot be controlled, and chances 
are that it is of order log L(1) rather than log L(2/3). Perturbing Q randomly 
by elements of the factor base, the smoothness Theorem 3 implies that in average 
time L(1/3), one may obtain a relation containing Q and prime divisors Q_i of size 
log L(2/3). It is possible to use an approach called special-q descent in the context of 
factorisation, creating for each Q_i a relation containing it by considering functions 
w = r(X) + s(X)Y passing through Q_i. But in order to have a reasonable chance 
of finding a relation, one needs to arrange some freedom for the degrees of r and s; 
with the additional restriction of passing through one of the Q_i, one again has to 
decompose a divisor of degree log L(1), and the process turns in circles. 

The solution suggested in [27] consists in relaxing slightly the constraint on the 
running time. Let thus \epsilon > 0 be fixed. In time L(1/3 + \epsilon), one may create a relation 
containing Q and further prime divisors Q_i of degree log L(2/3 - \epsilon). For each Q_i, 
a special-q descent allows one to replace it in time L(1/3 + \epsilon) by a linear combination 
of prime divisors Q_{ij} of degree log L(2/3 - 2\epsilon); these Q_{ij} are again treated by a 
special-q descent, and so forth. Whenever the degree of a Q_{ij...} drops below the 
barrier of log L(1/3 + \epsilon), the descent returns primes of degree log L(1/3), which are 
elements of the factor base, and the process terminates. 

This descent approach creates a tree in which all nodes have a degree in O(g), 
whose height is bounded by 1/(3\epsilon), and whose leaves are in the factor base. As \epsilon is 
a constant, the number of nodes in the tree is polynomial in g and thus generously 
covered by any subexponential function. So the following result holds: 

Theorem 4 (heuristic). Let there be given a family of curves C as above, sat-
isfying in particular (4) and g >= (\log q)^\delta for some \delta > 2, and let \epsilon > 0. Assum-
ing heuristically that the divisors encountered during the algorithm have the same 
smoothness probability of Theorem 3 as random divisors of the same degree, discrete 
logarithms in the Jacobian of C can be computed in time L_{q^g}(1/3 + \epsilon, o(1)). 

Concerning the constant of the subexponential complexity, it suffices to note 
that the existence of an algorithm in L(1/3 + \epsilon/2, c) for some constant c allows one to 
reach L(1/3 + \epsilon, o(1)) by 

The degrees a in Y and b in X of the curve may be balanced differently. Let-
ting a \approx g^\alpha and b \approx g^{1-\alpha} for some \alpha between 1/3 and 1/2, the algorithm for 
computing the group structure remains of complexity L(1/3) (with a different con-
stant depending on \alpha), while the time for computing discrete logarithms becomes 
L(\alpha + \epsilon). When \alpha drops below 1/3, also the group structure computation becomes 
slower than L(1/3); its complexity turns out to be L(x(\alpha)) for x(\alpha) \in [1/3, 1/2] 
and, in particular, L(1/2) for hyperelliptic curves. This is apparently the first nat-
ural occurrence of an algorithm with a subexponential complexity in which the first 
parameter is different from 1/3 and 1/2. 

3.3. The low genus case. In the spirit of Section 2.6, Diem has considered 
in [20] a particular class of low genus curves, in which discrete logarithms are 
easier to compute. His ideas are independent of the algorithm of complexity L(1/3) 
presented in the previous section, but it turns out that the gain with respect to 
general curves is in both cases due to a curve degree that is comparatively small for 
a given genus. Let again be given a family of curves with q tending to infinity, this 
time represented by plane models of fixed degree d instead of a fixed genus. The 
factor base is formed, as in Section 2.6, by the prime divisors of degree 1, otherwise 
said, the rational points on the curve. Relations are created, as in the algorithm 
of Section 3.2 and as in Adleman-DeMarrais-Huang's algorithm, by computing 
divisors of polynomials; so like these two algorithms, Diem's approach is heuristic. 
He considers furthermore only the simplest polynomials, namely lines. By Bézout's 
theorem, they intersect the curve in d points (that may have coordinates in an 
extension field); so a relation is obtained whenever a polynomial of degree d factors 
into linear factors over the base field, as opposed to Section 2.6, in which the 
polynomial was of degree g. Using the double large prime variation, one obtains an 
algorithm of heuristic complexity O(q^{2 - 2/d}), measured in arithmetic operations. 
Diem suggests an additional trick to lower the complexity; he restricts to lines drawn 
between two points that are already in the factor base. Then a polynomial of degree 
only d - 2 has to split into linear factors to yield a relation, and the complexity of the 
discrete logarithm algorithm drops to O(q^{2 - 2/(d-2)}). This algorithm is preferable 
to the one described in Section 2.6 whenever d - 2 < g. Hyperelliptic curves are 
not concerned, but the impact on C_{a,b} curves with 3 <= a < b is dramatic. The 
equations d = b and g = (a-1)(b-1)/2 imply that discrete logarithms are obtained 
with O(q^{2 - 2(a-1)/(2g - (a-1))}) operations. In particular, in the case a = 3 and b = 4 
the complexity is O(q); so the discrete logarithm problem in non-hyperelliptic C_{a,b} 
curves of genus 3 is not harder than in hyperelliptic curves of genus 2 defined 
over the same finite field, while the bit length of the group order is 50 % higher 
and the arithmetic is considerably more involved. This result implies that non-
hyperelliptic curves are not suited for the implementation of discrete logarithm 
based cryptosystems. 
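Diem's relation search by lines through two factor-base points, as an added worked example (this is not code from the survey or from [20]): a constructed C_{3,4} curve Y^3 = X^4 + 6X^3 + 5X over F_11 (genus 3, plane degree d = 4) whose F_11-rational points form the factor base. For two of them the line through them is restricted to the curve, the two known roots are divided out, and the residual polynomial of degree d - 2 = 2 is tested for splitting into linear factors; a split yields the d intersection points P_1, ..., P_d, and div(Y - mX - c) = P_1 + ... + P_d - d P_\infty is the relation among factor-base elements. The prime, the curve equation, the brute-force point search and the omission of vertical lines are choices made for this example only.

```python
# Added example, not code from the survey or from Diem's paper: relation search
# by lines through two factor-base points on a small plane curve.
from itertools import combinations

P = 11                 # constructed: the toy prime field F_11
D = 4                  # degree of the plane model
# Constructed C_{3,4} curve  Y^3 - X^4 - 6X^3 - 5X = 0  over F_11 (genus 3),
# stored as {(i, j): coeff} for coeff * X^i * Y^j.
CURVE = {(0, 3): 1, (4, 0): -1 % P, (3, 0): -6 % P, (1, 0): -5 % P}

# Univariate polynomials over F_P are coefficient lists, lowest degree first.
def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_eval(a, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(a)) % P

def curve_eval(x, y):
    return sum(c * pow(x, i, P) * pow(y, j, P) for (i, j), c in CURVE.items()) % P

def rational_points():
    """Factor base of Section 3.3: the affine F_P-rational points, by brute force."""
    return [(x, y) for x in range(P) for y in range(P) if curve_eval(x, y) == 0]

def restrict_to_line(m, c):
    """F(X, mX + c) as a univariate polynomial in X."""
    line = [c % P, m % P]
    res = [0]
    for (i, j), coeff in CURVE.items():
        term = [coeff]
        for _ in range(i):
            term = poly_mul(term, [0, 1])      # times X
        for _ in range(j):
            term = poly_mul(term, line)        # times (mX + c)
        res = poly_add(res, term)
    return trim(res)

def divide_by_root(poly, r):
    """Synthetic division by (X - r); r must be a root of poly."""
    n = len(poly) - 1
    q = [0] * n
    q[n - 1] = poly[n]
    for k in range(n - 1, 0, -1):
        q[k - 1] = (poly[k] + r * q[k]) % P
    assert (poly[0] + r * q[0]) % P == 0
    return q

def split_into_linear_factors(poly):
    """Roots in F_P with multiplicity if poly splits completely, else None."""
    roots, poly = [], trim(poly)
    while len(poly) > 1:
        for r in range(P):
            if poly_eval(poly, r) == 0:
                roots.append(r)
                poly = divide_by_root(poly, r)
                break
        else:
            return None          # an irreducible factor of degree >= 2 remains
    return roots

def line_relation(p1, p2):
    """Diem's trick: the line through two factor-base points.  Returns the D
    intersection points (with multiplicity) if the residual polynomial of
    degree D - 2 splits into linear factors over F_P, else None.  In the
    Jacobian, div(Y - mX - c) = P_1 + ... + P_D - D * P_oo is the relation."""
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        return None              # vertical lines are left out of this toy
    m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    c = (y1 - m * x1) % P
    f = restrict_to_line(m, c)
    if len(f) - 1 != D:
        return None              # fewer than D affine intersections
    residual = divide_by_root(divide_by_root(f, x1), x2)
    roots = split_into_linear_factors(residual)
    if roots is None:
        return None
    return sorted((x, (m * x + c) % P) for x in [x1, x2] + roots)

def collect_relations():
    """All distinct relations from lines through pairs of factor-base points."""
    pts = rational_points()
    rels = {tuple(rel) for p1, p2 in combinations(pts, 2)
            for rel in [line_relation(p1, p2)] if rel is not None}
    return sorted(rels)

if __name__ == "__main__":
    print(len(rational_points()), "rational points,", len(collect_relations()), "distinct relations")
    print("line through (0,0) and (1,1):", line_relation((0, 0), (1, 1)))
    print("line through (0,0) and (4,0):", line_relation((0, 0), (4, 0)))
```

Because 11 is 2 modulo 3, cubing is a bijection on F_11 and the curve has exactly one affine point above each X, so the factor base has 11 elements and no two of them share an X-coordinate. The line Y = X meets the curve in (0,0), (1,1), (2,2), (3,3) and gives a relation, while the line Y = 0 through (0,0) and (4,0) leaves the residual X^2 + 10X + 7, which is irreducible over F_11, and yields none; the fraction of pairs that succeed is the quantity the heuristic complexity O(q^{2 - 2/(d-2)}) rests on.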

4. Implementations 

The latest data points for computing discrete logarithms with a generic algo-
rithm are from 2002 and 2004 and concern elliptic curves over prime fields and fields 
of characteristic 2 of 109 bits [13, 14]; the 2004 computation involved 2600 proces-
sors running over 17 months. 

A subexponential algorithm for hyperelliptic curves has first been implemented 
by Flassenberg and Paulus [29]. Their largest example, a curve of genus 12 over F_{11}, 
is far from reaching a cryptographic parameter size; since the cardinalities of these 
high genus curves were unknown, the authors had to resort to expensive Hermite 
normal form computations instead of solving a sparse linear system. Gaudry reports 
on an implementation of the algorithm of Section 2.6 (without large primes) in [36]; 
his largest examples, curves of genus 6 over F_{5026243} respectively F_{2^{23}}, surpass the 
generic record of the previous paragraph and are very close to cryptographic group 
orders. 

The algorithm of Section 3.3 including the double large prime variation has 
been implemented by Diem and Thomé for a C_{3,4} curve of genus 3 over F_{2^{31}}, see 
[21]. Their computation took only a few days, with the relation collection carried 
out on a single CPU, so this should rather be seen as a proof of concept for the 
algorithm than as a benchmark of what is achievable today. The authors estimate 
that discrete logarithms on a C_{3,4} curve with a group order of 111 bits could be 
obtained by an effort comparable to that of factoring a 664 bit RSA integer. 

5. Future research 

The algorithm of Section 3.2 of complexity L(1/3 + \epsilon) for computing discrete 
logarithms in certain curves opens a new direction of research. During the 10th 
Workshop on Elliptic Curve Cryptography (ECC 2006), Diem has announced an 
algorithm of complexity L(1/3) inspired by these ideas, but with a quite different 
point of view [19]; for the time being, it is unclear whether his class of curves is 
different from the one considered in Section 3.2. It would be interesting to obtain 
a complete classification of the curves that are subject to a subexponential attack 
of complexity better than L(1/2). 

In a recent preprint [107], Smith has found a novel attack on certain hyperelliptic 
curves of genus 3. He explicitly computes an isogeny to a non-hyperelliptic curve 
of genus 3, which allows one to transport the discrete logarithm problem and to solve 
it via the algorithm of Section 3.3. Heuristically, the attack applies to about one 
out of five hyperelliptic curves of genus 3. However, by considering more general 
isogenies, it appears likely that the result could be extended to other curves, which 
would cast further doubt on the use of genus 3 curves in cryptography. 